easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

kube-prometheus/jsonnet: Use jsonnet-bundler

Browse Source
This commit is contained in:
Frederic Branczyk
2018-04-25 15:04:20 +01:00
parent 992bcdccc1
commit edf21e4382
141 changed files with 11505 additions and 7219 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
jsonnet/alertmanager/alertmanager-main-secret.libsonnet
View File

@@ -1,8 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local secret = k.core.v1.secret;
{
new(namespace, plainConfig)::
secret.new("alertmanager-main", {"alertmanager.yaml": std.base64(plainConfig)}) +
secret.mixin.metadata.withNamespace(namespace)
}

8
jsonnet/alertmanager/alertmanager-main-service-account.libsonnet
View File

@@ -1,8 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local serviceAccount = k.core.v1.serviceAccount;
{
new(namespace)::
serviceAccount.new("alertmanager-main") +
serviceAccount.mixin.metadata.withNamespace(namespace)
}

32
jsonnet/alertmanager/alertmanager-main-service-monitor.libsonnet
View File

@@ -1,32 +0,0 @@
{
new(namespace)::
{
"apiVersion": "monitoring.coreos.com/v1",
"kind": "ServiceMonitor",
"metadata": {
"name": "alertmanager",
"namespace": namespace,
"labels": {
"k8s-app": "alertmanager"
}
},
"spec": {
"selector": {
"matchLabels": {
"alertmanager": "main"
}
},
"namespaceSelector": {
"matchNames": [
"monitoring"
]
},
"endpoints": [
{
"port": "web",
"interval": "30s"
}
]
}
}
}

12
jsonnet/alertmanager/alertmanager-main-service.libsonnet
View File

@@ -1,12 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local service = k.core.v1.service;
local servicePort = k.core.v1.service.mixin.spec.portsType;
local alertmanagerPort = servicePort.newNamed("web", 9093, "web");
{
new(namespace)::
service.new("alertmanager-main", {app: "alertmanager", alertmanager: "main"}, alertmanagerPort) +
service.mixin.metadata.withNamespace(namespace) +
service.mixin.metadata.withLabels({alertmanager: "main"})
}

19
jsonnet/alertmanager/alertmanager-main.libsonnet
View File

@@ -1,19 +0,0 @@
{
new(namespace)::
{
apiVersion: "monitoring.coreos.com/v1",
kind: "Alertmanager",
metadata: {
name: "main",
namespace: namespace,
labels: {
alertmanager: "main",
},
},
spec: {
replicas: 3,
version: "v0.14.0",
serviceAccountName: "alertmanager-main",
},
}
}

7
jsonnet/alertmanager/alertmanager.libsonnet
View File

@@ -1,7 +0,0 @@
{
config:: import "alertmanager-main-secret.libsonnet",
serviceAccount:: import "alertmanager-main-service-account.libsonnet",
service:: import "alertmanager-main-service.libsonnet",
serviceMonitor:: import "alertmanager-main-service-monitor.libsonnet",
alertmanager:: import "alertmanager-main.libsonnet",
}

85
jsonnet/kube-prometheus.libsonnet
View File

@@ -1,85 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local alertmanager = import "alertmanager/alertmanager.libsonnet";
local ksm = import "kube-state-metrics/kube-state-metrics.libsonnet";
local nodeExporter = import "node-exporter/node-exporter.libsonnet";
local po = import "prometheus-operator/prometheus-operator.libsonnet";
local prometheus = import "prometheus/prometheus.libsonnet";
local grafana = import "grafana/grafana.libsonnet";
local alertmanagerConfig = importstr "../assets/alertmanager/alertmanager.yaml";
local ruleFiles = {
"alertmanager.rules.yaml": importstr "../assets/prometheus/rules/alertmanager.rules.yaml",
"etcd3.rules.yaml": importstr "../assets/prometheus/rules/etcd3.rules.yaml",
"general.rules.yaml": importstr "../assets/prometheus/rules/general.rules.yaml",
"kube-controller-manager.rules.yaml": importstr "../assets/prometheus/rules/kube-controller-manager.rules.yaml",
"kube-scheduler.rules.yaml": importstr "../assets/prometheus/rules/kube-scheduler.rules.yaml",
"kube-state-metrics.rules.yaml": importstr "../assets/prometheus/rules/kube-state-metrics.rules.yaml",
"kubelet.rules.yaml": importstr "../assets/prometheus/rules/kubelet.rules.yaml",
"kubernetes.rules.yaml": importstr "../assets/prometheus/rules/kubernetes.rules.yaml",
"node.rules.yaml": importstr "../assets/prometheus/rules/node.rules.yaml",
"prometheus.rules.yaml": importstr "../assets/prometheus/rules/prometheus.rules.yaml",
};
{
new(namespace)::
{
"grafana/grafana-dashboard-definitions.yaml": grafana.dashboardDefinitions.new(namespace),
"grafana/grafana-dashboard-sources.yaml": grafana.dashboardSources.new(namespace),
"grafana/grafana-datasources.yaml": grafana.dashboardDatasources.new(namespace),
"grafana/grafana-deployment.yaml": grafana.deployment.new(namespace),
"grafana/grafana-service-account.yaml": grafana.serviceAccount.new(namespace),
"grafana/grafana-service.yaml": grafana.service.new(namespace),
"alertmanager-main/alertmanager-main-secret.yaml": alertmanager.config.new(namespace, alertmanagerConfig),
"alertmanager-main/alertmanager-main-service-account.yaml": alertmanager.serviceAccount.new(namespace),
"alertmanager-main/alertmanager-main-service.yaml": alertmanager.service.new(namespace),
"alertmanager-main/alertmanager-main-service-monitor.yaml": alertmanager.serviceMonitor.new(namespace),
"alertmanager-main/alertmanager-main.yaml": alertmanager.alertmanager.new(namespace),
"kube-state-metrics/kube-state-metrics-cluster-role-binding.yaml": ksm.clusterRoleBinding.new(namespace),
"kube-state-metrics/kube-state-metrics-cluster-role.yaml": ksm.clusterRole.new(),
"kube-state-metrics/kube-state-metrics-deployment.yaml": ksm.deployment.new(namespace),
"kube-state-metrics/kube-state-metrics-role-binding.yaml": ksm.roleBinding.new(namespace),
"kube-state-metrics/kube-state-metrics-role.yaml": ksm.role.new(namespace),
"kube-state-metrics/kube-state-metrics-service-account.yaml": ksm.serviceAccount.new(namespace),
"kube-state-metrics/kube-state-metrics-service.yaml": ksm.service.new(namespace),
"kube-state-metrics/kube-state-metrics-service-monitor.yaml": ksm.serviceMonitor.new(namespace),
"node-exporter/node-exporter-cluster-role-binding.yaml": nodeExporter.clusterRoleBinding.new(namespace),
"node-exporter/node-exporter-cluster-role.yaml": nodeExporter.clusterRole.new(),
"node-exporter/node-exporter-daemonset.yaml": nodeExporter.daemonset.new(namespace),
"node-exporter/node-exporter-service-account.yaml": nodeExporter.serviceAccount.new(namespace),
"node-exporter/node-exporter-service.yaml": nodeExporter.service.new(namespace),
"node-exporter/node-exporter-service-monitor.yaml": nodeExporter.serviceMonitor.new(namespace),
"prometheus-operator/prometheus-operator-cluster-role-binding.yaml": po.clusterRoleBinding.new(namespace),
"prometheus-operator/prometheus-operator-cluster-role.yaml": po.clusterRole.new(),
"prometheus-operator/prometheus-operator-deployment.yaml": po.deployment.new(namespace),
"prometheus-operator/prometheus-operator-service.yaml": po.service.new(namespace),
"prometheus-operator/prometheus-operator-service-monitor.yaml": po.serviceMonitor.new(namespace),
"prometheus-operator/prometheus-operator-service-account.yaml": po.serviceAccount.new(namespace),
"prometheus-k8s/prometheus-k8s-cluster-role-binding.yaml": prometheus.clusterRoleBinding.new(namespace),
"prometheus-k8s/prometheus-k8s-cluster-role.yaml": prometheus.clusterRole.new(),
"prometheus-k8s/prometheus-k8s-service-account.yaml": prometheus.serviceAccount.new(namespace),
"prometheus-k8s/prometheus-k8s-service.yaml": prometheus.service.new(namespace),
"prometheus-k8s/prometheus-k8s.yaml": prometheus.prometheus.new(namespace),
"prometheus-k8s/prometheus-k8s-rules.yaml": prometheus.rules.new(namespace, ruleFiles),
"prometheus-k8s/prometheus-k8s-role-binding-config.yaml": prometheus.roleBindingConfig.new(namespace),
"prometheus-k8s/prometheus-k8s-role-binding-namespace.yaml": prometheus.roleBindingNamespace.new(namespace),
"prometheus-k8s/prometheus-k8s-role-binding-kube-system.yaml": prometheus.roleBindingKubeSystem.new(namespace),
"prometheus-k8s/prometheus-k8s-role-binding-default.yaml": prometheus.roleBindingDefault.new(namespace),
"prometheus-k8s/prometheus-k8s-role-config.yaml": prometheus.roleConfig.new(namespace),
"prometheus-k8s/prometheus-k8s-role-namespace.yaml": prometheus.roleNamespace.new(namespace),
"prometheus-k8s/prometheus-k8s-role-kube-system.yaml": prometheus.roleKubeSystem.new(),
"prometheus-k8s/prometheus-k8s-role-default.yaml": prometheus.roleDefault.new(),
"prometheus-k8s/prometheus-k8s-service-monitor-apiserver.yaml": prometheus.serviceMonitorApiserver.new(namespace),
"prometheus-k8s/prometheus-k8s-service-monitor-coredns.yaml": prometheus.serviceMonitorCoreDNS.new(namespace),
"prometheus-k8s/prometheus-k8s-service-monitor-kube-controller-manager.yaml": prometheus.serviceMonitorControllerManager.new(namespace),
"prometheus-k8s/prometheus-k8s-service-monitor-kube-scheduler.yaml": prometheus.serviceMonitorScheduler.new(namespace),
"prometheus-k8s/prometheus-k8s-service-monitor-kubelet.yaml": prometheus.serviceMonitorKubelet.new(namespace),
"prometheus-k8s/prometheus-k8s-service-monitor-prometheus.yaml": prometheus.serviceMonitorPrometheus.new(namespace),
}
}

2
jsonnet/kube-prometheus/.gitignore vendored Normal file
View File

@@ -0,0 +1,2 @@
jsonnetfile.lock.json
vendor/

97
jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet Normal file
View File

@@ -0,0 +1,97 @@
local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
local alertmanagerConfig = "\nglobal:\n resolve_timeout: 5m\nroute:\n group_by: ['job']\n group_wait: 30s\n group_interval: 5m\n repeat_interval: 12h\n receiver: 'null'\n routes:\n - match:\n alertname: DeadMansSwitch\n receiver: 'null'\nreceivers:\n- name: 'null'\n";
{
_config+:: {
namespace: 'default',
versions+:: {
alertmanager: 'v0.14.0',
},
imageRepos+:: {
alertmanager: 'quay.io/prometheus/alertmanager',
},
alertmanager+:: {
config: alertmanagerConfig,
replicas: 3,
},
},
alertmanager+:: {
secret:
local secret = k.core.v1.secret;
secret.new('alertmanager-main', { 'alertmanager.yaml': std.base64($._config.alertmanager.config) }) +
secret.mixin.metadata.withNamespace($._config.namespace),
serviceAccount:
local serviceAccount = k.core.v1.serviceAccount;
serviceAccount.new('alertmanager-main') +
serviceAccount.mixin.metadata.withNamespace($._config.namespace),
service:
local service = k.core.v1.service;
local servicePort = k.core.v1.service.mixin.spec.portsType;
local alertmanagerPort = servicePort.newNamed('web', 9093, 'web');
service.new('alertmanager-main', { app: 'alertmanager', alertmanager: 'main' }, alertmanagerPort) +
service.mixin.metadata.withNamespace($._config.namespace) +
service.mixin.metadata.withLabels({ alertmanager: 'main' }),
serviceMonitor:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'alertmanager',
namespace: $._config.namespace,
labels: {
'k8s-app': 'alertmanager',
},
},
spec: {
selector: {
matchLabels: {
alertmanager: 'main',
},
},
namespaceSelector: {
matchNames: [
'monitoring',
],
},
endpoints: [
{
port: 'web',
interval: '30s',
},
],
},
},
alertmanager:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'Alertmanager',
metadata: {
name: 'main',
namespace: $._config.namespace,
labels: {
alertmanager: 'main',
},
},
spec: {
replicas: $._config.alertmanager.replicas,
version: $._config.versions.alertmanager,
baseImage: $._config.imageRepos.alertmanager,
nodeSelector: { 'beta.kubernetes.io/os': 'linux' },
serviceAccountName: 'alertmanager-main',
},
},
},
}

34
jsonnet/kube-prometheus/jsonnetfile.json Normal file
View File

@@ -0,0 +1,34 @@
{
"dependencies": [
{
"name": "ksonnet",
"source": {
"git": {
"remote": "https://github.com/ksonnet/ksonnet-lib",
"subdir": ""
}
},
"version": "master"
},
{
"name": "kubernetes-mixin",
"source": {
"git": {
"remote": "https://github.com/kubernetes-monitoring/kubernetes-mixin",
"subdir": ""
}
},
"version": "master"
},
{
"name": "grafana",
"source": {
"git": {
"remote": "https://github.com/brancz/kubernetes-grafana",
"subdir": "grafana"
}
},
"version": "master"
}
]
}

23
jsonnet/kube-prometheus/kube-prometheus-bootkube.libsonnet Normal file
View File

@@ -0,0 +1,23 @@
local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
local service = k.core.v1.service;
local servicePort = k.core.v1.service.mixin.spec.portsType;
{
prometheus+:: {
kubeControllerManagerPrometheusDiscoveryService:
service.new('kube-controller-manager-prometheus-discovery', { 'k8s-app': 'kube-controller-manager' }, servicePort.newNamed('http-metrics', 10252, 10252)) +
service.mixin.metadata.withNamespace('kube-system') +
service.mixin.metadata.withLabels({ 'k8s-app': 'kube-controller-manager' }) +
service.mixin.spec.withClusterIp('None'),
kubeSchedulerPrometheusDiscoveryService:
service.new('kube-scheduler-prometheus-discovery', { 'k8s-app': 'kube-scheduler' }, servicePort.newNamed('http-metrics', 10251, 10251)) +
service.mixin.metadata.withNamespace('kube-system') +
service.mixin.metadata.withLabels({ 'k8s-app': 'kube-scheduler' }) +
service.mixin.spec.withClusterIp('None'),
kubeDnsPrometheusDiscoveryService:
service.new('kube-dns-prometheus-discovery', { 'k8s-app': 'kube-dns' }, [servicePort.newNamed('http-metrics-skydns', 10055, 10055), servicePort.newNamed('http-metrics-dnsmasq', 10054, 10054)]) +
service.mixin.metadata.withNamespace('kube-system') +
service.mixin.metadata.withLabels({ 'k8s-app': 'kube-dns' }) +
service.mixin.spec.withClusterIp('None'),
},
}

8
jsonnet/kube-prometheus/kube-prometheus-ksonnet.libsonnet Normal file
View File

@@ -0,0 +1,8 @@
local kp = (import 'kube-prometheus/kube-prometheus.libsonnet');
{ ['0prometheus-operator-' + name]: kp.prometheusOperator[name] for name in std.objectFields(kp.prometheusOperator) } +
{ ['node-exporter-' + name]: kp.nodeExporter[name] for name in std.objectFields(kp.nodeExporter) } +
{ ['kube-state-metrics-' + name]: kp.kubeStateMetrics[name] for name in std.objectFields(kp.kubeStateMetrics) } +
{ ['alertmanager-' + name]: kp.alertmanager[name] for name in std.objectFields(kp.alertmanager) } +
{ ['prometheus-' + name]: kp.prometheus[name] for name in std.objectFields(kp.prometheus) } +
{ ['grafana-' + name]: kp.grafana[name] for name in std.objectFields(kp.grafana) }

18
jsonnet/kube-prometheus/kube-prometheus-kubeadm.libsonnet Normal file
View File

@@ -0,0 +1,18 @@
local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
local service = k.core.v1.service;
local servicePort = k.core.v1.service.mixin.spec.portsType;
{
prometheus+: {
kubeControllerManagerPrometheusDiscoveryService:
service.new('kube-controller-manager-prometheus-discovery', { component: 'kube-controller-manager' }, servicePort.newNamed('http-metrics', 10252, 10252)) +
service.mixin.metadata.withNamespace('kube-system') +
service.mixin.metadata.withLabels({ 'k8s-app': 'kube-controller-manager' }) +
service.mixin.spec.withClusterIp('None'),
kubeSchedulerPrometheusDiscoveryService:
service.new('kube-scheduler-prometheus-discovery', { component: 'kube-scheduler' }, servicePort.newNamed('http-metrics', 10251, 10251)) +
service.mixin.metadata.withNamespace('kube-system') +
service.mixin.metadata.withLabels({ 'k8s-app': 'kube-scheduler' }) +
service.mixin.spec.withClusterIp('None'),
},
}

21
jsonnet/kube-prometheus/kube-prometheus-node-ports.libsonnet Normal file
View File

@@ -0,0 +1,21 @@
local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
local service = k.core.v1.service;
local servicePort = k.core.v1.service.mixin.spec.portsType;
{
prometheus+: {
service+:
service.mixin.spec.withPorts(servicePort.newNamed('web', 9090, 'web') + servicePort.withNodePort(30900)) +
service.mixin.spec.withType('NodePort'),
},
alertmanager+: {
service+:
service.mixin.spec.withPorts(servicePort.newNamed('web', 9093, 'web') + servicePort.withNodePort(30903)) +
service.mixin.spec.withType('NodePort'),
},
grafana+: {
service+:
service.mixin.spec.withPorts(servicePort.newNamed('http', 3000, 'http') + servicePort.withNodePort(30902)) +
service.mixin.spec.withType('NodePort'),
},
}

26
jsonnet/kube-prometheus/kube-prometheus.libsonnet Normal file
View File

@@ -0,0 +1,26 @@
local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
(import 'grafana/grafana.libsonnet') +
(import 'kube-state-metrics/kube-state-metrics.libsonnet') +
(import 'node-exporter/node-exporter.libsonnet') +
(import 'alertmanager/alertmanager.libsonnet') +
(import 'prometheus-operator/prometheus-operator.libsonnet') +
(import 'prometheus/prometheus.libsonnet') +
(import 'kubernetes-mixin/mixin.libsonnet') +
{
_config+:: {
kubeStateMetricsSelector: 'job="kube-state-metrics"',
cadvisorSelector: 'job="kubelet"',
nodeExporterSelector: 'job="node-exporter"',
kubeletSelector: 'job="kubelet"',
notKubeDnsSelector: 'job!="kube-dns"',
prometheus+:: {
rules: $.prometheusRules + $.prometheusAlerts,
},
grafana+:: {
dashboards: $.grafanaDashboards,
},
},
}

286
jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet Normal file
View File

@@ -0,0 +1,286 @@
local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
{
_config+:: {
namespace: 'default',
versions+:: {
kubeStateMetrics: 'v1.3.0',
kubeRbacProxy: 'v0.3.0',
addonResizer: '1.0',
},
imageRepos+:: {
kubeStateMetrics: 'quay.io/coreos/kube-state-metrics',
kubeRbacProxy: 'quay.io/coreos/kube-rbac-proxy',
addonResizer: 'quay.io/coreos/addon-resizer',
},
},
kubeStateMetrics+:: {
clusterRoleBinding:
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
clusterRoleBinding.new() +
clusterRoleBinding.mixin.metadata.withName('kube-state-metrics') +
clusterRoleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
clusterRoleBinding.mixin.roleRef.withName('kube-state-metrics') +
clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) +
clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'kube-state-metrics', namespace: $._config.namespace }]),
clusterRole:
local clusterRole = k.rbac.v1.clusterRole;
local policyRule = clusterRole.rulesType;
local coreRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'configmaps',
'secrets',
'nodes',
'pods',
'services',
'resourcequotas',
'replicationcontrollers',
'limitranges',
'persistentvolumeclaims',
'persistentvolumes',
'namespaces',
'endpoints',
]) +
policyRule.withVerbs(['list', 'watch']);
local extensionsRule = policyRule.new() +
policyRule.withApiGroups(['extensions']) +
policyRule.withResources([
'daemonsets',
'deployments',
'replicasets',
]) +
policyRule.withVerbs(['list', 'watch']);
local appsRule = policyRule.new() +
policyRule.withApiGroups(['apps']) +
policyRule.withResources([
'statefulsets',
]) +
policyRule.withVerbs(['list', 'watch']);
local batchRule = policyRule.new() +
policyRule.withApiGroups(['batch']) +
policyRule.withResources([
'cronjobs',
'jobs',
]) +
policyRule.withVerbs(['list', 'watch']);
local autoscalingRule = policyRule.new() +
policyRule.withApiGroups(['autoscaling']) +
policyRule.withResources([
'horizontalpodautoscalers',
]) +
policyRule.withVerbs(['list', 'watch']);
local authenticationRole = policyRule.new() +
policyRule.withApiGroups(['authentication.k8s.io']) +
policyRule.withResources([
'tokenreviews',
]) +
policyRule.withVerbs(['create']);
local authorizationRole = policyRule.new() +
policyRule.withApiGroups(['authorization.k8s.io']) +
policyRule.withResources([
'subjectaccessreviews',
]) +
policyRule.withVerbs(['create']);
local rules = [coreRule, extensionsRule, appsRule, batchRule, autoscalingRule, authenticationRole, authorizationRole];
clusterRole.new() +
clusterRole.mixin.metadata.withName('kube-state-metrics') +
clusterRole.withRules(rules),
deployment:
local deployment = k.apps.v1beta2.deployment;
local container = k.apps.v1beta2.deployment.mixin.spec.template.spec.containersType;
local volume = k.apps.v1beta2.deployment.mixin.spec.template.spec.volumesType;
local containerPort = container.portsType;
local containerVolumeMount = container.volumeMountsType;
local podSelector = deployment.mixin.spec.template.spec.selectorType;
local podLabels = { app: 'kube-state-metrics' };
local proxyClusterMetrics =
container.new('kube-rbac-proxy-main', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
container.withArgs([
'--secure-listen-address=:8443',
'--upstream=http://127.0.0.1:8081/',
]) +
container.withPorts(containerPort.newNamed('https-main', 8443)) +
container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) +
container.mixin.resources.withLimits({ cpu: '20m', memory: '40Mi' });
local proxySelfMetrics =
container.new('kube-rbac-proxy-self', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
container.withArgs([
'--secure-listen-address=:9443',
'--upstream=http://127.0.0.1:8082/',
]) +
container.withPorts(containerPort.newNamed('https-self', 9443)) +
container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) +
container.mixin.resources.withLimits({ cpu: '20m', memory: '40Mi' });
local kubeStateMetrics =
container.new('kube-state-metrics', $._config.imageRepos.kubeStateMetrics + ':' + $._config.versions.kubeStateMetrics) +
container.withArgs([
'--host=127.0.0.1',
'--port=8081',
'--telemetry-host=127.0.0.1',
'--telemetry-port=8082',
]) +
container.mixin.resources.withRequests({ cpu: '102m', memory: '180Mi' }) +
container.mixin.resources.withLimits({ cpu: '102m', memory: '180Mi' });
local addonResizer =
container.new('addon-resizer', $._config.imageRepos.addonResizer + ':' + $._config.versions.addonResizer) +
container.withCommand([
'/pod_nanny',
'--container=kube-state-metrics',
'--cpu=100m',
'--extra-cpu=2m',
'--memory=150Mi',
'--extra-memory=30Mi',
'--threshold=5',
'--deployment=kube-state-metrics',
]) +
container.withEnv([
{
name: 'MY_POD_NAME',
valueFrom: {
fieldRef: { apiVersion: 'v1', fieldPath: 'metadata.name' },
},
},
{
name: 'MY_POD_NAMESPACE',
valueFrom: {
fieldRef: { apiVersion: 'v1', fieldPath: 'metadata.namespace' },
},
},
]) +
container.mixin.resources.withRequests({ cpu: '10m', memory: '30Mi' }) +
container.mixin.resources.withLimits({ cpu: '10m', memory: '30Mi' });
local c = [proxyClusterMetrics, proxySelfMetrics, kubeStateMetrics, addonResizer];
deployment.new('kube-state-metrics', 1, c, podLabels) +
deployment.mixin.metadata.withNamespace($._config.namespace) +
deployment.mixin.metadata.withLabels(podLabels) +
deployment.mixin.spec.selector.withMatchLabels(podLabels) +
deployment.mixin.spec.template.spec.withNodeSelector({ 'beta.kubernetes.io/os': 'linux' }) +
deployment.mixin.spec.template.spec.securityContext.withRunAsNonRoot(true) +
deployment.mixin.spec.template.spec.securityContext.withRunAsUser(65534) +
deployment.mixin.spec.template.spec.withServiceAccountName('kube-state-metrics'),
roleBinding:
local roleBinding = k.rbac.v1.roleBinding;
roleBinding.new() +
roleBinding.mixin.metadata.withName('kube-state-metrics') +
roleBinding.mixin.metadata.withNamespace($._config.namespace) +
roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
roleBinding.mixin.roleRef.withName('kube-state-metrics') +
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'kube-state-metrics' }]),
role:
local role = k.rbac.v1.role;
local policyRule = role.rulesType;
local coreRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'pods',
]) +
policyRule.withVerbs(['get']);
local extensionsRule = policyRule.new() +
policyRule.withApiGroups(['extensions']) +
policyRule.withResources([
'deployments',
]) +
policyRule.withVerbs(['get', 'update']) +
policyRule.withResourceNames(['kube-state-metrics']);
local rules = [coreRule, extensionsRule];
role.new() +
role.mixin.metadata.withName('kube-state-metrics') +
role.mixin.metadata.withNamespace($._config.namespace) +
role.withRules(rules),
serviceAccount:
local serviceAccount = k.core.v1.serviceAccount;
serviceAccount.new('kube-state-metrics') +
serviceAccount.mixin.metadata.withNamespace($._config.namespace),
service:
local service = k.core.v1.service;
local servicePort = k.core.v1.service.mixin.spec.portsType;
local ksmServicePortMain = servicePort.newNamed('https-main', 8443, 'https-main');
local ksmServicePortSelf = servicePort.newNamed('https-self', 9443, 'https-self');
service.new('kube-state-metrics', $.kubeStateMetrics.deployment.spec.selector.matchLabels, [ksmServicePortMain, ksmServicePortSelf]) +
service.mixin.metadata.withNamespace($._config.namespace) +
service.mixin.metadata.withLabels({ 'k8s-app': 'kube-state-metrics' }) +
service.mixin.spec.withClusterIp('None'),
serviceMonitor:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'kube-state-metrics',
namespace: $._config.namespace,
labels: {
'k8s-app': 'kube-state-metrics',
},
},
spec: {
jobLabel: 'k8s-app',
selector: {
matchLabels: {
'k8s-app': 'kube-state-metrics',
},
},
namespaceSelector: {
matchNames: [
'monitoring',
],
},
endpoints: [
{
port: 'https-main',
scheme: 'https',
interval: '30s',
honorLabels: true,
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
tlsConfig: {
insecureSkipVerify: true,
},
},
{
port: 'https-self',
scheme: 'https',
interval: '30s',
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
tlsConfig: {
insecureSkipVerify: true,
},
},
],
},
},
},
}

167
jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet Normal file
View File

@@ -0,0 +1,167 @@
local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
{
_config+:: {
namespace: 'default',
versions+:: {
nodeExporter: 'v0.15.2',
kubeRbacProxy: 'v0.3.0',
},
imageRepos+:: {
nodeExporter: 'quay.io/prometheus/node-exporter',
kubeRbacProxy: 'quay.io/coreos/kube-rbac-proxy',
},
},
nodeExporter+:: {
clusterRoleBinding:
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
clusterRoleBinding.new() +
clusterRoleBinding.mixin.metadata.withName('node-exporter') +
clusterRoleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
clusterRoleBinding.mixin.roleRef.withName('node-exporter') +
clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) +
clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'node-exporter', namespace: $._config.namespace }]),
clusterRole:
local clusterRole = k.rbac.v1.clusterRole;
local policyRule = clusterRole.rulesType;
local authenticationRole = policyRule.new() +
policyRule.withApiGroups(['authentication.k8s.io']) +
policyRule.withResources([
'tokenreviews',
]) +
policyRule.withVerbs(['create']);
local authorizationRole = policyRule.new() +
policyRule.withApiGroups(['authorization.k8s.io']) +
policyRule.withResources([
'subjectaccessreviews',
]) +
policyRule.withVerbs(['create']);
local rules = [authenticationRole, authorizationRole];
clusterRole.new() +
clusterRole.mixin.metadata.withName('node-exporter') +
clusterRole.withRules(rules),
daemonset:
local daemonset = k.apps.v1beta2.daemonSet;
local container = daemonset.mixin.spec.template.spec.containersType;
local volume = daemonset.mixin.spec.template.spec.volumesType;
local containerPort = container.portsType;
local containerVolumeMount = container.volumeMountsType;
local podSelector = daemonset.mixin.spec.template.spec.selectorType;
local toleration = daemonset.mixin.spec.template.spec.tolerationsType;
local podLabels = { app: 'node-exporter' };
local masterToleration = toleration.new() +
toleration.withEffect('NoSchedule') +
toleration.withKey('node-role.kubernetes.io/master');
local procVolumeName = 'proc';
local procVolume = volume.fromHostPath(procVolumeName, '/proc');
local procVolumeMount = containerVolumeMount.new(procVolumeName, '/host/proc');
local sysVolumeName = 'sys';
local sysVolume = volume.fromHostPath(sysVolumeName, '/sys');
local sysVolumeMount = containerVolumeMount.new(sysVolumeName, '/host/sys');
local nodeExporter =
container.new('node-exporter', $._config.imageRepos.nodeExporter + ':' + $._config.versions.nodeExporter) +
container.withArgs([
'--web.listen-address=127.0.0.1:9101',
'--path.procfs=/host/proc',
'--path.sysfs=/host/sys',
]) +
container.withVolumeMounts([procVolumeMount, sysVolumeMount]) +
container.mixin.resources.withRequests({ cpu: '102m', memory: '180Mi' }) +
container.mixin.resources.withLimits({ cpu: '102m', memory: '180Mi' });
local proxy =
container.new('kube-rbac-proxy', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
container.withArgs([
'--secure-listen-address=:9100',
'--upstream=http://127.0.0.1:9101/',
]) +
container.withPorts(containerPort.newNamed('https', 9100)) +
container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) +
container.mixin.resources.withLimits({ cpu: '20m', memory: '40Mi' });
local c = [nodeExporter, proxy];
daemonset.new() +
daemonset.mixin.metadata.withName('node-exporter') +
daemonset.mixin.metadata.withNamespace($._config.namespace) +
daemonset.mixin.metadata.withLabels(podLabels) +
daemonset.mixin.spec.selector.withMatchLabels(podLabels) +
daemonset.mixin.spec.template.metadata.withLabels(podLabels) +
daemonset.mixin.spec.template.spec.withTolerations([masterToleration]) +
daemonset.mixin.spec.template.spec.withNodeSelector({ 'beta.kubernetes.io/os': 'linux' }) +
daemonset.mixin.spec.template.spec.withContainers(c) +
daemonset.mixin.spec.template.spec.withVolumes([procVolume, sysVolume]) +
daemonset.mixin.spec.template.spec.securityContext.withRunAsNonRoot(true) +
daemonset.mixin.spec.template.spec.securityContext.withRunAsUser(65534) +
daemonset.mixin.spec.template.spec.withServiceAccountName('node-exporter'),
serviceAccount:
local serviceAccount = k.core.v1.serviceAccount;
serviceAccount.new('node-exporter') +
serviceAccount.mixin.metadata.withNamespace($._config.namespace),
serviceMonitor:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'node-exporter',
namespace: $._config.namespace,
labels: {
'k8s-app': 'node-exporter',
},
},
spec: {
jobLabel: 'k8s-app',
selector: {
matchLabels: {
'k8s-app': 'node-exporter',
},
},
namespaceSelector: {
matchNames: [
'monitoring',
],
},
endpoints: [
{
port: 'https',
scheme: 'https',
interval: '30s',
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
tlsConfig: {
insecureSkipVerify: true,
},
},
],
},
},
service:
local service = k.core.v1.service;
local servicePort = k.core.v1.service.mixin.spec.portsType;
local nodeExporterPort = servicePort.newNamed('https', 9100, 'https');
service.new('node-exporter', $.nodeExporter.daemonset.spec.selector.matchLabels, nodeExporterPort) +
service.mixin.metadata.withNamespace($._config.namespace) +
service.mixin.metadata.withLabels({ 'k8s-app': 'node-exporter' }) +
service.mixin.spec.withClusterIp('None'),
},
}

1
jsonnet/kube-prometheus/prometheus-operator/alertmanager-crd.libsonnet Normal file
View File

File diff suppressed because one or more lines are too long

1
jsonnet/kube-prometheus/prometheus-operator/prometheus-crd.libsonnet Normal file
View File

File diff suppressed because one or more lines are too long

152
jsonnet/kube-prometheus/prometheus-operator/prometheus-operator.libsonnet Normal file
View File

@@ -0,0 +1,152 @@
local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
{
_config+:: {
namespace: 'default',
versions+:: {
prometheusOperator: 'v0.19.0',
},
imageRepos+:: {
prometheusOperator: 'quay.io/coreos/prometheus-operator',
},
},
prometheusOperator+:: {
// Prefixing with 0 to ensure these manifests are listed and therefore created first.
'0alertmanagerCustomResourceDefinition': import 'alertmanager-crd.libsonnet',
'0prometheusCustomResourceDefinition': import 'prometheus-crd.libsonnet',
'0servicemonitorCustomResourceDefinition': import 'servicemonitor-crd.libsonnet',
clusterRoleBinding:
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
clusterRoleBinding.new() +
clusterRoleBinding.mixin.metadata.withName('prometheus-operator') +
clusterRoleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
clusterRoleBinding.mixin.roleRef.withName('prometheus-operator') +
clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) +
clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-operator', namespace: $._config.namespace }]),
clusterRole:
local clusterRole = k.rbac.v1.clusterRole;
local policyRule = clusterRole.rulesType;
local extensionsRule = policyRule.new() +
policyRule.withApiGroups(['extensions']) +
policyRule.withResources([
'thirdpartyresources',
]) +
policyRule.withVerbs(['*']);
local apiExtensionsRule = policyRule.new() +
policyRule.withApiGroups(['apiextensions.k8s.io']) +
policyRule.withResources([
'customresourcedefinitions',
]) +
policyRule.withVerbs(['*']);
local monitoringRule = policyRule.new() +
policyRule.withApiGroups(['monitoring.coreos.com']) +
policyRule.withResources([
'alertmanagers',
'prometheuses',
'prometheuses/finalizers',
'alertmanagers/finalizers',
'servicemonitors',
]) +
policyRule.withVerbs(['*']);
local appsRule = policyRule.new() +
policyRule.withApiGroups(['apps']) +
policyRule.withResources([
'statefulsets',
]) +
policyRule.withVerbs(['*']);
local coreRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'configmaps',
'secrets',
]) +
policyRule.withVerbs(['*']);
local podRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'pods',
]) +
policyRule.withVerbs(['list', 'delete']);
local routingRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'services',
'endpoints',
]) +
policyRule.withVerbs(['get', 'create', 'update']);
local nodeRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'nodes',
]) +
policyRule.withVerbs(['list', 'watch']);
local namespaceRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'namespaces',
]) +
policyRule.withVerbs(['list']);
local rules = [extensionsRule, apiExtensionsRule, monitoringRule, appsRule, coreRule, podRule, routingRule, nodeRule, namespaceRule];
clusterRole.new() +
clusterRole.mixin.metadata.withName('prometheus-operator') +
clusterRole.withRules(rules),
deployment:
local deployment = k.apps.v1beta2.deployment;
local container = k.apps.v1beta2.deployment.mixin.spec.template.spec.containersType;
local containerPort = container.portsType;
local targetPort = 8080;
local podLabels = { 'k8s-app': 'prometheus-operator' };
local operatorContainer =
container.new('prometheus-operator', $._config.imageRepos.prometheusOperator + ':' + $._config.versions.prometheusOperator) +
container.withPorts(containerPort.newNamed('http', targetPort)) +
container.withArgs(['--kubelet-service=kube-system/kubelet', '--config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1']) +
container.mixin.resources.withRequests({ cpu: '100m', memory: '50Mi' }) +
container.mixin.resources.withLimits({ cpu: '200m', memory: '100Mi' });
deployment.new('prometheus-operator', 1, operatorContainer, podLabels) +
deployment.mixin.metadata.withNamespace($._config.namespace) +
deployment.mixin.metadata.withLabels(podLabels) +
deployment.mixin.spec.selector.withMatchLabels(podLabels) +
deployment.mixin.spec.template.spec.withNodeSelector({ 'beta.kubernetes.io/os': 'linux' }) +
deployment.mixin.spec.template.spec.securityContext.withRunAsNonRoot(true) +
deployment.mixin.spec.template.spec.securityContext.withRunAsUser(65534) +
deployment.mixin.spec.template.spec.withServiceAccountName('prometheus-operator'),
serviceAccount:
local serviceAccount = k.core.v1.serviceAccount;
serviceAccount.new('prometheus-operator') +
serviceAccount.mixin.metadata.withNamespace($._config.namespace),
service:
local service = k.core.v1.service;
local servicePort = k.core.v1.service.mixin.spec.portsType;
local poServicePort = servicePort.newNamed('http', 8080, 'http');
service.new('prometheus-operator', $.prometheusOperator.deployment.spec.selector.matchLabels, [poServicePort]) +
service.mixin.metadata.withLabels({ 'k8s-app': 'prometheus-operator' }) +
service.mixin.metadata.withNamespace($._config.namespace) +
service.mixin.spec.withClusterIp('None'),
},
}

1
jsonnet/kube-prometheus/prometheus-operator/servicemonitor-crd.libsonnet Normal file
View File

File diff suppressed because one or more lines are too long

454
jsonnet/kube-prometheus/prometheus/prometheus.libsonnet Normal file
View File

@@ -0,0 +1,454 @@
local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
{
_config+:: {
namespace: 'default',
versions+:: {
prometheus: 'v2.2.1',
},
imageRepos+:: {
prometheus: 'quay.io/prometheus/prometheus',
},
prometheus+:: {
replicas: 2,
rules: {},
},
},
prometheus+:: {
serviceAccount:
local serviceAccount = k.core.v1.serviceAccount;
serviceAccount.new('prometheus-k8s') +
serviceAccount.mixin.metadata.withNamespace($._config.namespace),
service:
local service = k.core.v1.service;
local servicePort = k.core.v1.service.mixin.spec.portsType;
local prometheusPort = servicePort.newNamed('web', 9090, 'web');
service.new('prometheus-k8s', { app: 'prometheus', prometheus: 'k8s' }, prometheusPort) +
service.mixin.metadata.withNamespace($._config.namespace) +
service.mixin.metadata.withLabels({ prometheus: 'k8s' }),
rules:
local configMap = k.core.v1.configMap;
configMap.new('prometheus-k8s-rules', { 'all.rules.yaml': std.manifestYamlDoc($._config.prometheus.rules) }) +
configMap.mixin.metadata.withLabels({ role: 'alert-rules', prometheus: 'k8s' }) +
configMap.mixin.metadata.withNamespace($._config.namespace),
roleBindingDefault:
local roleBinding = k.rbac.v1.roleBinding;
roleBinding.new() +
roleBinding.mixin.metadata.withName('prometheus-k8s') +
roleBinding.mixin.metadata.withNamespace('default') +
roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
roleBinding.mixin.roleRef.withName('prometheus-k8s') +
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-k8s', namespace: $._config.namespace }]),
clusterRole:
local clusterRole = k.rbac.v1.clusterRole;
local policyRule = clusterRole.rulesType;
local nodeMetricsRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources(['nodes/metrics']) +
policyRule.withVerbs(['get']);
local metricsRule = policyRule.new() +
policyRule.withNonResourceUrls('/metrics') +
policyRule.withVerbs(['get']);
local rules = [nodeMetricsRule, metricsRule];
clusterRole.new() +
clusterRole.mixin.metadata.withName('prometheus-k8s') +
clusterRole.withRules(rules),
roleConfig:
local role = k.rbac.v1.role;
local policyRule = role.rulesType;
local configmapRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'configmaps',
]) +
policyRule.withVerbs(['get']);
role.new() +
role.mixin.metadata.withName('prometheus-k8s-config') +
role.mixin.metadata.withNamespace($._config.namespace) +
role.withRules(configmapRule),
roleBindingConfig:
local roleBinding = k.rbac.v1.roleBinding;
roleBinding.new() +
roleBinding.mixin.metadata.withName('prometheus-k8s-config') +
roleBinding.mixin.metadata.withNamespace($._config.namespace) +
roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
roleBinding.mixin.roleRef.withName('prometheus-k8s-config') +
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-k8s', namespace: $._config.namespace }]),
roleBindingNamespace:
local roleBinding = k.rbac.v1.roleBinding;
roleBinding.new() +
roleBinding.mixin.metadata.withName('prometheus-k8s') +
roleBinding.mixin.metadata.withNamespace($._config.namespace) +
roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
roleBinding.mixin.roleRef.withName('prometheus-k8s') +
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-k8s', namespace: $._config.namespace }]),
clusterRoleBinding:
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
clusterRoleBinding.new() +
clusterRoleBinding.mixin.metadata.withName('prometheus-k8s') +
clusterRoleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
clusterRoleBinding.mixin.roleRef.withName('prometheus-k8s') +
clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) +
clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-k8s', namespace: $._config.namespace }]),
roleKubeSystem:
local role = k.rbac.v1.role;
local policyRule = role.rulesType;
local coreRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'nodes',
'services',
'endpoints',
'pods',
]) +
policyRule.withVerbs(['get', 'list', 'watch']);
role.new() +
role.mixin.metadata.withName('prometheus-k8s') +
role.mixin.metadata.withNamespace('kube-system') +
role.withRules(coreRule),
roleDefault:
local role = k.rbac.v1.role;
local policyRule = role.rulesType;
local coreRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'nodes',
'services',
'endpoints',
'pods',
]) +
policyRule.withVerbs(['get', 'list', 'watch']);
role.new() +
role.mixin.metadata.withName('prometheus-k8s') +
role.mixin.metadata.withNamespace('default') +
role.withRules(coreRule),
roleBindingKubeSystem:
local roleBinding = k.rbac.v1.roleBinding;
roleBinding.new() +
roleBinding.mixin.metadata.withName('prometheus-k8s') +
roleBinding.mixin.metadata.withNamespace('kube-system') +
roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
roleBinding.mixin.roleRef.withName('prometheus-k8s') +
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-k8s', namespace: $._config.namespace }]),
roleNamespace:
local role = k.rbac.v1.role;
local policyRule = role.rulesType;
local coreRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'nodes',
'services',
'endpoints',
'pods',
]) +
policyRule.withVerbs(['get', 'list', 'watch']);
role.new() +
role.mixin.metadata.withName('prometheus-k8s') +
role.mixin.metadata.withNamespace($._config.namespace) +
role.withRules(coreRule),
prometheus:
local container = k.core.v1.pod.mixin.spec.containersType;
local resourceRequirements = container.mixin.resourcesType;
local selector = k.apps.v1beta2.deployment.mixin.spec.selectorType;
local resources = resourceRequirements.new() +
resourceRequirements.withRequests({ memory: '400Mi' });
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'Prometheus',
metadata: {
name: 'k8s',
namespace: $._config.namespace,
labels: {
prometheus: 'k8s',
},
},
spec: {
replicas: $._config.prometheus.replicas,
version: $._config.versions.prometheus,
baseImage: $._config.imageRepos.prometheus,
serviceAccountName: 'prometheus-k8s',
serviceMonitorSelector: selector.withMatchExpressions({ key: 'k8s-app', operator: 'Exists' }),
nodeSelector: { 'beta.kubernetes.io/os': 'linux' },
ruleSelector: selector.withMatchLabels({
role: 'alert-rules',
prometheus: 'k8s',
}),
resources: resources,
alerting: {
alertmanagers: [
{
namespace: $._config.namespace,
name: 'alertmanager-main',
port: 'web',
},
],
},
},
},
serviceMonitorPrometheus:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'prometheus',
namespace: $._config.namespace,
labels: {
'k8s-app': 'prometheus',
},
},
spec: {
selector: {
matchLabels: {
prometheus: 'k8s',
},
},
namespaceSelector: {
matchNames: [
'monitoring',
],
},
endpoints: [
{
port: 'web',
interval: '30s',
},
],
},
},
serviceMonitorPrometheusOperator:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'prometheus-operator',
namespace: $._config.namespace,
labels: {
'k8s-app': 'prometheus-operator',
},
},
spec: {
endpoints: [
{
port: 'http',
},
],
selector: {
matchLabels: {
'k8s-app': 'prometheus-operator',
},
},
},
},
serviceMonitorKubeScheduler:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'kube-scheduler',
namespace: $._config.namespace,
labels: {
'k8s-app': 'kube-scheduler',
},
},
spec: {
jobLabel: 'k8s-app',
endpoints: [
{
port: 'http-metrics',
interval: '30s',
},
],
selector: {
matchLabels: {
'k8s-app': 'kube-scheduler',
},
},
namespaceSelector: {
matchNames: [
'kube-system',
],
},
},
},
serviceMonitorKubelet:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'kubelet',
namespace: $._config.namespace,
labels: {
'k8s-app': 'kubelet',
},
},
spec: {
jobLabel: 'k8s-app',
endpoints: [
{
port: 'https-metrics',
scheme: 'https',
interval: '30s',
tlsConfig: {
insecureSkipVerify: true,
},
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
},
{
port: 'https-metrics',
scheme: 'https',
path: '/metrics/cadvisor',
interval: '30s',
honorLabels: true,
tlsConfig: {
insecureSkipVerify: true,
},
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
},
],
selector: {
matchLabels: {
'k8s-app': 'kubelet',
},
},
namespaceSelector: {
matchNames: [
'kube-system',
],
},
},
},
serviceMonitorKubeControllerManager:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'kube-controller-manager',
namespace: $._config.namespace,
labels: {
'k8s-app': 'kube-controller-manager',
},
},
spec: {
jobLabel: 'k8s-app',
endpoints: [
{
port: 'http-metrics',
interval: '30s',
},
],
selector: {
matchLabels: {
'k8s-app': 'kube-controller-manager',
},
},
namespaceSelector: {
matchNames: [
'kube-system',
],
},
},
},
serviceMonitorApiserver:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'kube-apiserver',
namespace: $._config.namespace,
labels: {
'k8s-app': 'apiserver',
},
},
spec: {
jobLabel: 'component',
selector: {
matchLabels: {
component: 'apiserver',
provider: 'kubernetes',
},
},
namespaceSelector: {
matchNames: [
'default',
],
},
endpoints: [
{
port: 'https',
interval: '30s',
scheme: 'https',
tlsConfig: {
caFile: '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt',
serverName: 'kubernetes',
},
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
},
],
},
},
serviceMonitorCoreDNS:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'coredns',
namespace: $._config.namespace,
labels: {
'k8s-app': 'coredns',
},
},
spec: {
jobLabel: 'k8s-app',
selector: {
matchLabels: {
'k8s-app': 'coredns',
component: 'metrics',
},
},
namespaceSelector: {
matchNames: [
'kube-system',
],
},
endpoints: [
{
port: 'http-metrics',
interval: '15s',
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
},
],
},
},
},
}

12
jsonnet/kube-state-metrics/kube-state-metrics-cluster-role-binding.libsonnet
View File

@@ -1,12 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
{
new(namespace)::
clusterRoleBinding.new() +
clusterRoleBinding.mixin.metadata.withName("kube-state-metrics") +
clusterRoleBinding.mixin.roleRef.withApiGroup("rbac.authorization.k8s.io") +
clusterRoleBinding.mixin.roleRef.withName("kube-state-metrics") +
clusterRoleBinding.mixin.roleRef.mixinInstance({kind: "ClusterRole"}) +
clusterRoleBinding.withSubjects([{kind: "ServiceAccount", name: "kube-state-metrics", namespace: namespace}])
}

75
jsonnet/kube-state-metrics/kube-state-metrics-cluster-role.libsonnet
View File

@@ -1,75 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local clusterRole = k.rbac.v1.clusterRole;
local policyRule = clusterRole.rulesType;
local coreRule = policyRule.new() +
policyRule.withApiGroups([""]) +
policyRule.withResources([
"configmaps",
"secrets",
"nodes",
"pods",
"services",
"resourcequotas",
"replicationcontrollers",
"limitranges",
"persistentvolumeclaims",
"persistentvolumes",
"namespaces",
"endpoints",
]) +
policyRule.withVerbs(["list", "watch"]);
local extensionsRule = policyRule.new() +
policyRule.withApiGroups(["extensions"]) +
policyRule.withResources([
"daemonsets",
"deployments",
"replicasets",
]) +
policyRule.withVerbs(["list", "watch"]);
local appsRule = policyRule.new() +
policyRule.withApiGroups(["apps"]) +
policyRule.withResources([
"statefulsets",
]) +
policyRule.withVerbs(["list", "watch"]);
local batchRule = policyRule.new() +
policyRule.withApiGroups(["batch"]) +
policyRule.withResources([
"cronjobs",
"jobs",
]) +
policyRule.withVerbs(["list", "watch"]);
local autoscalingRule = policyRule.new() +
policyRule.withApiGroups(["autoscaling"]) +
policyRule.withResources([
"horizontalpodautoscalers",
]) +
policyRule.withVerbs(["list", "watch"]);
local authenticationRole = policyRule.new() +
policyRule.withApiGroups(["authentication.k8s.io"]) +
policyRule.withResources([
"tokenreviews",
]) +
policyRule.withVerbs(["create"]);
local authorizationRole = policyRule.new() +
policyRule.withApiGroups(["authorization.k8s.io"]) +
policyRule.withResources([
"subjectaccessreviews",
]) +
policyRule.withVerbs(["create"]);
local rules = [coreRule, extensionsRule, appsRule, batchRule, autoscalingRule, authenticationRole, authorizationRole];
{
new()::
clusterRole.new() +
clusterRole.mixin.metadata.withName("kube-state-metrics") +
clusterRole.withRules(rules)
}

86
jsonnet/kube-state-metrics/kube-state-metrics-deployment.libsonnet
View File

@@ -1,86 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local deployment = k.apps.v1beta2.deployment;
local deployment = k.apps.v1beta2.deployment;
local container = k.apps.v1beta2.deployment.mixin.spec.template.spec.containersType;
local volume = k.apps.v1beta2.deployment.mixin.spec.template.spec.volumesType;
local containerPort = container.portsType;
local containerVolumeMount = container.volumeMountsType;
local podSelector = deployment.mixin.spec.template.spec.selectorType;
local kubeStateMetricsVersion = "v1.3.0";
local kubeRbacProxyVersion = "v0.3.0";
local addonResizerVersion = "1.0";
local podLabels = {"app": "kube-state-metrics"};
local proxyClusterMetrics =
container.new("kube-rbac-proxy-main", "quay.io/coreos/kube-rbac-proxy:" + kubeRbacProxyVersion) +
container.withArgs([
"--secure-listen-address=:8443",
"--upstream=http://127.0.0.1:8081/",
]) +
container.withPorts(containerPort.newNamed("https-main", 8443)) +
container.mixin.resources.withRequests({cpu: "10m", memory: "20Mi"}) +
container.mixin.resources.withLimits({cpu: "20m", memory: "40Mi"});
local proxySelfMetrics =
container.new("kube-rbac-proxy-self", "quay.io/coreos/kube-rbac-proxy:" + kubeRbacProxyVersion) +
container.withArgs([
"--secure-listen-address=:9443",
"--upstream=http://127.0.0.1:8082/",
]) +
container.withPorts(containerPort.newNamed("https-self", 9443)) +
container.mixin.resources.withRequests({cpu: "10m", memory: "20Mi"}) +
container.mixin.resources.withLimits({cpu: "20m", memory: "40Mi"});
local kubeStateMetrics =
container.new("kube-state-metrics", "quay.io/coreos/kube-state-metrics:" + kubeStateMetricsVersion) +
container.withArgs([
"--host=127.0.0.1",
"--port=8081",
"--telemetry-host=127.0.0.1",
"--telemetry-port=8082",
]) +
container.mixin.resources.withRequests({cpu: "102m", memory: "180Mi"}) +
container.mixin.resources.withLimits({cpu: "102m", memory: "180Mi"});
local addonResizer =
container.new("addon-resizer", "quay.io/coreos/addon-resizer:" + addonResizerVersion) +
container.withCommand([
"/pod_nanny",
"--container=kube-state-metrics",
"--cpu=100m",
"--extra-cpu=2m",
"--memory=150Mi",
"--extra-memory=30Mi",
"--threshold=5",
"--deployment=kube-state-metrics",
]) +
container.withEnv([
{
name: "MY_POD_NAME",
valueFrom: {
fieldRef: {apiVersion: "v1", fieldPath: "metadata.name"}
}
}, {
name: "MY_POD_NAMESPACE",
valueFrom: {
fieldRef: {apiVersion: "v1", fieldPath: "metadata.namespace"}
}
}
]) +
container.mixin.resources.withRequests({cpu: "10m", memory: "30Mi"}) +
container.mixin.resources.withLimits({cpu: "10m", memory: "30Mi"});
local c = [proxyClusterMetrics, proxySelfMetrics, kubeStateMetrics, addonResizer];
{
new(namespace)::
deployment.new("kube-state-metrics", 1, c, podLabels) +
deployment.mixin.metadata.withNamespace(namespace) +
deployment.mixin.metadata.withLabels(podLabels) +
deployment.mixin.spec.selector.withMatchLabels(podLabels) +
deployment.mixin.spec.template.spec.securityContext.withRunAsNonRoot(true) +
deployment.mixin.spec.template.spec.securityContext.withRunAsUser(65534) +
deployment.mixin.spec.template.spec.withServiceAccountName("kube-state-metrics")
}

13
jsonnet/kube-state-metrics/kube-state-metrics-role-binding.libsonnet
View File

@@ -1,13 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local roleBinding = k.rbac.v1.roleBinding;
{
new(namespace)::
roleBinding.new() +
roleBinding.mixin.metadata.withName("kube-state-metrics") +
roleBinding.mixin.metadata.withNamespace(namespace) +
roleBinding.mixin.roleRef.withApiGroup("rbac.authorization.k8s.io") +
roleBinding.mixin.roleRef.withName("kube-state-metrics") +
roleBinding.mixin.roleRef.mixinInstance({kind: "Role"}) +
roleBinding.withSubjects([{kind: "ServiceAccount", name: "kube-state-metrics"}])
}

28
jsonnet/kube-state-metrics/kube-state-metrics-role.libsonnet
View File

@@ -1,28 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local role = k.rbac.v1.role;
local policyRule = role.rulesType;
local coreRule = policyRule.new() +
policyRule.withApiGroups([""]) +
policyRule.withResources([
"pods",
]) +
policyRule.withVerbs(["get"]);
local extensionsRule = policyRule.new() +
policyRule.withApiGroups(["extensions"]) +
policyRule.withResources([
"deployments",
]) +
policyRule.withVerbs(["get", "update"]) +
policyRule.withResourceNames(["kube-state-metrics"]);
local rules = [coreRule, extensionsRule];
{
new(namespace)::
role.new() +
role.mixin.metadata.withName("kube-state-metrics") +
role.mixin.metadata.withNamespace(namespace) +
role.withRules(rules)
}

8
jsonnet/kube-state-metrics/kube-state-metrics-service-account.libsonnet
View File

@@ -1,8 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local serviceAccount = k.core.v1.serviceAccount;
{
new(namespace)::
serviceAccount.new("kube-state-metrics") +
serviceAccount.mixin.metadata.withNamespace(namespace)
}

48
jsonnet/kube-state-metrics/kube-state-metrics-service-monitor.libsonnet
View File

@@ -1,48 +0,0 @@
{
new(namespace)::
{
"apiVersion": "monitoring.coreos.com/v1",
"kind": "ServiceMonitor",
"metadata": {
"name": "kube-state-metrics",
"namespace": namespace,
"labels": {
"k8s-app": "kube-state-metrics"
}
},
"spec": {
"jobLabel": "k8s-app",
"selector": {
"matchLabels": {
"k8s-app": "kube-state-metrics"
}
},
"namespaceSelector": {
"matchNames": [
"monitoring"
]
},
"endpoints": [
{
"port": "https-main",
"scheme": "https",
"interval": "30s",
"honorLabels": true,
"bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token",
"tlsConfig": {
"insecureSkipVerify": true
}
},
{
"port": "https-self",
"scheme": "https",
"interval": "30s",
"bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token",
"tlsConfig": {
"insecureSkipVerify": true
}
}
]
}
}
}

15
jsonnet/kube-state-metrics/kube-state-metrics-service.libsonnet
View File

@@ -1,15 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local service = k.core.v1.service;
local servicePort = k.core.v1.service.mixin.spec.portsType;
local ksmDeployment = import "kube-state-metrics-deployment.libsonnet";
local ksmServicePortMain = servicePort.newNamed("https-main", 8443, "https-main");
local ksmServicePortSelf = servicePort.newNamed("https-self", 9443, "https-self");
{
new(namespace)::
service.new("kube-state-metrics", ksmDeployment.new(namespace).spec.selector.matchLabels, [ksmServicePortMain, ksmServicePortSelf]) +
service.mixin.metadata.withNamespace(namespace) +
service.mixin.metadata.withLabels({"k8s-app": "kube-state-metrics"})
}

10
jsonnet/kube-state-metrics/kube-state-metrics.libsonnet
View File

@@ -1,10 +0,0 @@
{
clusterRoleBinding:: import "kube-state-metrics-cluster-role-binding.libsonnet",
clusterRole:: import "kube-state-metrics-cluster-role.libsonnet",
deployment:: import "kube-state-metrics-deployment.libsonnet",
roleBinding:: import "kube-state-metrics-role-binding.libsonnet",
role:: import "kube-state-metrics-role.libsonnet",
serviceAccount:: import "kube-state-metrics-service-account.libsonnet",
service:: import "kube-state-metrics-service.libsonnet",
serviceMonitor:: import "kube-state-metrics-service-monitor.libsonnet",
}

12
jsonnet/node-exporter/node-exporter-cluster-role-binding.libsonnet
View File

@@ -1,12 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
{
new(namespace)::
clusterRoleBinding.new() +
clusterRoleBinding.mixin.metadata.withName("node-exporter") +
clusterRoleBinding.mixin.roleRef.withApiGroup("rbac.authorization.k8s.io") +
clusterRoleBinding.mixin.roleRef.withName("node-exporter") +
clusterRoleBinding.mixin.roleRef.mixinInstance({kind: "ClusterRole"}) +
clusterRoleBinding.withSubjects([{kind: "ServiceAccount", name: "node-exporter", namespace: namespace}])
}

26
jsonnet/node-exporter/node-exporter-cluster-role.libsonnet
View File

@@ -1,26 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local clusterRole = k.rbac.v1.clusterRole;
local policyRule = clusterRole.rulesType;
local authenticationRole = policyRule.new() +
policyRule.withApiGroups(["authentication.k8s.io"]) +
policyRule.withResources([
"tokenreviews",
]) +
policyRule.withVerbs(["create"]);
local authorizationRole = policyRule.new() +
policyRule.withApiGroups(["authorization.k8s.io"]) +
policyRule.withResources([
"subjectaccessreviews",
]) +
policyRule.withVerbs(["create"]);
local rules = [authenticationRole, authorizationRole];
{
new()::
clusterRole.new() +
clusterRole.mixin.metadata.withName("node-exporter") +
clusterRole.withRules(rules)
}

58
jsonnet/node-exporter/node-exporter-daemonset.libsonnet
View File

@@ -1,58 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local daemonset = k.apps.v1beta2.daemonSet;
local container = daemonset.mixin.spec.template.spec.containersType;
local volume = daemonset.mixin.spec.template.spec.volumesType;
local containerPort = container.portsType;
local containerVolumeMount = container.volumeMountsType;
local podSelector = daemonset.mixin.spec.template.spec.selectorType;
local nodeExporterVersion = "v0.15.2";
local kubeRbacProxyVersion = "v0.3.0";
local podLabels = {"app": "node-exporter"};
local procVolumeName = "proc";
local procVolume = volume.fromHostPath(procVolumeName, "/proc");
local procVolumeMount = containerVolumeMount.new(procVolumeName, "/host/proc");
local sysVolumeName = "sys";
local sysVolume = volume.fromHostPath(sysVolumeName, "/sys");
local sysVolumeMount = containerVolumeMount.new(sysVolumeName, "/host/sys");
local nodeExporter =
container.new("node-exporter", "quay.io/prometheus/node-exporter:" + nodeExporterVersion) +
container.withArgs([
"--web.listen-address=127.0.0.1:9101",
"--path.procfs=/host/proc",
"--path.sysfs=/host/sys",
]) +
container.withVolumeMounts([procVolumeMount, sysVolumeMount]) +
container.mixin.resources.withRequests({cpu: "102m", memory: "180Mi"}) +
container.mixin.resources.withLimits({cpu: "102m", memory: "180Mi"});
local proxy =
container.new("kube-rbac-proxy", "quay.io/coreos/kube-rbac-proxy:" + kubeRbacProxyVersion) +
container.withArgs([
"--secure-listen-address=:9100",
"--upstream=http://127.0.0.1:9101/",
]) +
container.withPorts(containerPort.newNamed("https", 9100)) +
container.mixin.resources.withRequests({cpu: "10m", memory: "20Mi"}) +
container.mixin.resources.withLimits({cpu: "20m", memory: "40Mi"});
local c = [nodeExporter, proxy];
{
new(namespace)::
daemonset.new() +
daemonset.mixin.metadata.withName("node-exporter") +
daemonset.mixin.metadata.withNamespace(namespace) +
daemonset.mixin.metadata.withLabels(podLabels) +
daemonset.mixin.spec.selector.withMatchLabels(podLabels) +
daemonset.mixin.spec.template.metadata.withLabels(podLabels) +
daemonset.mixin.spec.template.spec.withContainers(c) +
daemonset.mixin.spec.template.spec.withVolumes([procVolume, sysVolume]) +
daemonset.mixin.spec.template.spec.securityContext.withRunAsNonRoot(true) +
daemonset.mixin.spec.template.spec.securityContext.withRunAsUser(65534) +
daemonset.mixin.spec.template.spec.withServiceAccountName("node-exporter")
}

8
jsonnet/node-exporter/node-exporter-service-account.libsonnet
View File

@@ -1,8 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local serviceAccount = k.core.v1.serviceAccount;
{
new(namespace)::
serviceAccount.new("node-exporter") +
serviceAccount.mixin.metadata.withNamespace(namespace)
}

38
jsonnet/node-exporter/node-exporter-service-monitor.libsonnet
View File

@@ -1,38 +0,0 @@
{
new(namespace)::
{
"apiVersion": "monitoring.coreos.com/v1",
"kind": "ServiceMonitor",
"metadata": {
"name": "node-exporter",
"namespace": namespace,
"labels": {
"k8s-app": "node-exporter"
}
},
"spec": {
"jobLabel": "k8s-app",
"selector": {
"matchLabels": {
"k8s-app": "node-exporter"
}
},
"namespaceSelector": {
"matchNames": [
"monitoring"
]
},
"endpoints": [
{
"port": "https",
"scheme": "https",
"interval": "30s",
"bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token",
"tlsConfig": {
"insecureSkipVerify": true
}
}
]
}
}
}

14
jsonnet/node-exporter/node-exporter-service.libsonnet
View File

@@ -1,14 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local service = k.core.v1.service;
local servicePort = k.core.v1.service.mixin.spec.portsType;
local nodeExporterDaemonset = import "node-exporter-daemonset.libsonnet";
local nodeExporterPort = servicePort.newNamed("https", 9100, "https");
{
new(namespace)::
service.new("node-exporter", nodeExporterDaemonset.new(namespace).spec.selector.matchLabels, nodeExporterPort) +
service.mixin.metadata.withNamespace(namespace) +
service.mixin.metadata.withLabels({"k8s-app": "node-exporter"})
}

8
jsonnet/node-exporter/node-exporter.libsonnet
View File

@@ -1,8 +0,0 @@
{
clusterRoleBinding:: import "node-exporter-cluster-role-binding.libsonnet",
clusterRole:: import "node-exporter-cluster-role.libsonnet",
daemonset:: import "node-exporter-daemonset.libsonnet",
serviceAccount:: import "node-exporter-service-account.libsonnet",
service:: import "node-exporter-service.libsonnet",
serviceMonitor:: import "node-exporter-service-monitor.libsonnet",
}

12
jsonnet/prometheus-operator/prometheus-operator-cluster-role-binding.libsonnet
View File

@@ -1,12 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
{
new(namespace)::
clusterRoleBinding.new() +
clusterRoleBinding.mixin.metadata.withName("prometheus-operator") +
clusterRoleBinding.mixin.roleRef.withApiGroup("rbac.authorization.k8s.io") +
clusterRoleBinding.mixin.roleRef.withName("prometheus-operator") +
clusterRoleBinding.mixin.roleRef.mixinInstance({kind: "ClusterRole"}) +
clusterRoleBinding.withSubjects([{kind: "ServiceAccount", name: "prometheus-operator", namespace: namespace}])
}

81
jsonnet/prometheus-operator/prometheus-operator-cluster-role.libsonnet
View File

@@ -1,81 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local clusterRole = k.rbac.v1.clusterRole;
local policyRule = clusterRole.rulesType;
local extensionsRule = policyRule.new() +
policyRule.withApiGroups(["extensions"]) +
policyRule.withResources([
"thirdpartyresources",
]) +
policyRule.withVerbs(["*"]);
local apiExtensionsRule = policyRule.new() +
policyRule.withApiGroups(["apiextensions.k8s.io"]) +
policyRule.withResources([
"customresourcedefinitions",
]) +
policyRule.withVerbs(["*"]);
local monitoringRule = policyRule.new() +
policyRule.withApiGroups(["monitoring.coreos.com"]) +
policyRule.withResources([
"alertmanagers",
"prometheuses",
"prometheuses/finalizers",
"alertmanagers/finalizers",
"servicemonitors",
]) +
policyRule.withVerbs(["*"]);
local appsRule = policyRule.new() +
policyRule.withApiGroups(["apps"]) +
policyRule.withResources([
"statefulsets",
]) +
policyRule.withVerbs(["*"]);
local coreRule = policyRule.new() +
policyRule.withApiGroups([""]) +
policyRule.withResources([
"configmaps",
"secrets",
]) +
policyRule.withVerbs(["*"]);
local podRule = policyRule.new() +
policyRule.withApiGroups([""]) +
policyRule.withResources([
"pods",
]) +
policyRule.withVerbs(["list", "delete"]);
local routingRule = policyRule.new() +
policyRule.withApiGroups([""]) +
policyRule.withResources([
"services",
"endpoints",
]) +
policyRule.withVerbs(["get", "create", "update"]);
local nodeRule = policyRule.new() +
policyRule.withApiGroups([""]) +
policyRule.withResources([
"nodes",
]) +
policyRule.withVerbs(["list", "watch"]);
local namespaceRule = policyRule.new() +
policyRule.withApiGroups([""]) +
policyRule.withResources([
"namespaces",
]) +
policyRule.withVerbs(["list"]);
local rules = [extensionsRule, apiExtensionsRule, monitoringRule, appsRule, coreRule, podRule, routingRule, nodeRule, namespaceRule];
{
new()::
clusterRole.new() +
clusterRole.mixin.metadata.withName("prometheus-operator") +
clusterRole.withRules(rules)
}

28
jsonnet/prometheus-operator/prometheus-operator-deployment.libsonnet
View File

@@ -1,28 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local version = "v0.19.0";
local deployment = k.apps.v1beta2.deployment;
local container = k.apps.v1beta2.deployment.mixin.spec.template.spec.containersType;
local containerPort = container.portsType;
local targetPort = 8080;
local podLabels = {"k8s-app": "prometheus-operator"};
local operatorContainer =
container.new("prometheus-operator", "quay.io/coreos/prometheus-operator:" + version) +
container.withPorts(containerPort.newNamed("http", targetPort)) +
container.withArgs(["--kubelet-service=kube-system/kubelet", "--config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1"]) +
container.mixin.resources.withRequests({cpu: "100m", memory: "50Mi"}) +
container.mixin.resources.withLimits({cpu: "200m", memory: "100Mi"});
{
new(namespace)::
deployment.new("prometheus-operator", 1, operatorContainer, podLabels) +
deployment.mixin.metadata.withNamespace(namespace) +
deployment.mixin.metadata.withLabels(podLabels) +
deployment.mixin.spec.selector.withMatchLabels(podLabels) +
deployment.mixin.spec.template.spec.securityContext.withRunAsNonRoot(true) +
deployment.mixin.spec.template.spec.securityContext.withRunAsUser(65534) +
deployment.mixin.spec.template.spec.withServiceAccountName("prometheus-operator")
}

8
jsonnet/prometheus-operator/prometheus-operator-service-account.libsonnet
View File

@@ -1,8 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local serviceAccount = k.core.v1.serviceAccount;
{
new(namespace)::
serviceAccount.new("prometheus-operator") +
serviceAccount.mixin.metadata.withNamespace(namespace)
}

26
jsonnet/prometheus-operator/prometheus-operator-service-monitor.libsonnet
View File

@@ -1,26 +0,0 @@
{
new(namespace)::
{
"apiVersion": "monitoring.coreos.com/v1",
"kind": "ServiceMonitor",
"metadata": {
"name": "prometheus-operator",
"namespace": namespace,
"labels": {
"k8s-app": "prometheus-operator"
}
},
"spec": {
"endpoints": [
{
"port": "http"
}
],
"selector": {
"matchLabels": {
"k8s-app": "prometheus-operator"
}
}
}
}
}

14
jsonnet/prometheus-operator/prometheus-operator-service.libsonnet
View File

@@ -1,14 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local service = k.core.v1.service;
local servicePort = k.core.v1.service.mixin.spec.portsType;
local poDeployment = import "prometheus-operator-deployment.libsonnet";
local poServicePort = servicePort.newNamed("http", 8080, "http");
{
new(namespace)::
service.new("prometheus-operator", poDeployment.new(namespace).spec.selector.matchLabels, [poServicePort]) +
service.mixin.metadata.withNamespace(namespace)
}

8
jsonnet/prometheus-operator/prometheus-operator.libsonnet
View File

@@ -1,8 +0,0 @@
{
clusterRoleBinding:: import "prometheus-operator-cluster-role-binding.libsonnet",
clusterRole:: import "prometheus-operator-cluster-role.libsonnet",
deployment:: import "prometheus-operator-deployment.libsonnet",
serviceAccount:: import "prometheus-operator-service-account.libsonnet",
service:: import "prometheus-operator-service.libsonnet",
serviceMonitor:: import "prometheus-operator-service-monitor.libsonnet",
}

12
jsonnet/prometheus/prometheus-k8s-cluster-role-binding.libsonnet
View File

@@ -1,12 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
{
new(namespace)::
clusterRoleBinding.new() +
clusterRoleBinding.mixin.metadata.withName("prometheus-k8s") +
clusterRoleBinding.mixin.roleRef.withApiGroup("rbac.authorization.k8s.io") +
clusterRoleBinding.mixin.roleRef.withName("prometheus-k8s") +
clusterRoleBinding.mixin.roleRef.mixinInstance({kind: "ClusterRole"}) +
clusterRoleBinding.withSubjects([{kind: "ServiceAccount", name: "prometheus-k8s", namespace: namespace}])
}

21
jsonnet/prometheus/prometheus-k8s-cluster-role.libsonnet
View File

@@ -1,21 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local clusterRole = k.rbac.v1.clusterRole;
local policyRule = clusterRole.rulesType;
local nodeMetricsRule = policyRule.new() +
policyRule.withApiGroups([""]) +
policyRule.withResources(["nodes/metrics"]) +
policyRule.withVerbs(["get"]);
local metricsRule = policyRule.new() +
policyRule.withNonResourceUrls("/metrics") +
policyRule.withVerbs(["get"]);
local rules = [nodeMetricsRule, metricsRule];
{
new()::
clusterRole.new() +
clusterRole.mixin.metadata.withName("prometheus-k8s") +
clusterRole.withRules(rules)
}

5
jsonnet/prometheus/prometheus-k8s-role-binding-config.libsonnet
View File

@@ -1,5 +0,0 @@
local prometheusNamespaceRoleBinding = import "prometheus-namespace-role-binding.libsonnet";
{
new(namespace):: prometheusNamespaceRoleBinding.new(namespace, namespace, "prometheus-k8s-config", "prometheus-k8s")
}

5
jsonnet/prometheus/prometheus-k8s-role-binding-default.libsonnet
View File

@@ -1,5 +0,0 @@
local prometheusNamespaceRoleBinding = import "prometheus-namespace-role-binding.libsonnet";
{
new(namespace):: prometheusNamespaceRoleBinding.new(namespace, "default", "prometheus-k8s", "prometheus-k8s")
}

5
jsonnet/prometheus/prometheus-k8s-role-binding-kube-system.libsonnet
View File

@@ -1,5 +0,0 @@
local prometheusNamespaceRoleBinding = import "prometheus-namespace-role-binding.libsonnet";
{
new(namespace):: prometheusNamespaceRoleBinding.new(namespace, "kube-system", "prometheus-k8s", "prometheus-k8s")
}

5
jsonnet/prometheus/prometheus-k8s-role-binding-namespace.libsonnet
View File

@@ -1,5 +0,0 @@
local prometheusNamespaceRoleBinding = import "prometheus-namespace-role-binding.libsonnet";
{
new(namespace):: prometheusNamespaceRoleBinding.new(namespace, namespace, "prometheus-k8s", "prometheus-k8s")
}

18
jsonnet/prometheus/prometheus-k8s-role-config.libsonnet
View File

@@ -1,18 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local role = k.rbac.v1.role;
local policyRule = role.rulesType;
local configmapRule = policyRule.new() +
policyRule.withApiGroups([""]) +
policyRule.withResources([
"configmaps",
]) +
policyRule.withVerbs(["get"]);
{
new(namespace)::
role.new() +
role.mixin.metadata.withName("prometheus-k8s-config") +
role.mixin.metadata.withNamespace(namespace) +
role.withRules(configmapRule),
}

5
jsonnet/prometheus/prometheus-k8s-role-default.libsonnet
View File

@@ -1,5 +0,0 @@
local prometheusNamespaceRole = import "prometheus-namespace-role.libsonnet";
{
new():: prometheusNamespaceRole.new("default")
}

5
jsonnet/prometheus/prometheus-k8s-role-kube-system.libsonnet
View File

@@ -1,5 +0,0 @@
local prometheusNamespaceRole = import "prometheus-namespace-role.libsonnet";
{
new():: prometheusNamespaceRole.new("kube-system")
}

5
jsonnet/prometheus/prometheus-k8s-role-namespace.libsonnet
View File

@@ -1,5 +0,0 @@
local prometheusNamespaceRole = import "prometheus-namespace-role.libsonnet";
{
new(namespace):: prometheusNamespaceRole.new(namespace)
}

9
jsonnet/prometheus/prometheus-k8s-rules.libsonnet
View File

@@ -1,9 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local configMap = k.core.v1.configMap;
{
new(namespace, ruleFiles)::
configMap.new("prometheus-k8s-rules", ruleFiles) +
configMap.mixin.metadata.withLabels({role: "alert-rules", prometheus: "k8s"}) +
configMap.mixin.metadata.withNamespace(namespace)
}

8
jsonnet/prometheus/prometheus-k8s-service-account.libsonnet
View File

@@ -1,8 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local serviceAccount = k.core.v1.serviceAccount;
{
new(namespace)::
serviceAccount.new("prometheus-k8s") +
serviceAccount.mixin.metadata.withNamespace(namespace)
}

40
jsonnet/prometheus/prometheus-k8s-service-monitor-apiserver.libsonnet
View File

@@ -1,40 +0,0 @@
{
new(namespace)::
{
"apiVersion": "monitoring.coreos.com/v1",
"kind": "ServiceMonitor",
"metadata": {
"name": "kube-apiserver",
"namespace": namespace,
"labels": {
"k8s-app": "apiserver"
}
},
"spec": {
"jobLabel": "component",
"selector": {
"matchLabels": {
"component": "apiserver",
"provider": "kubernetes"
}
},
"namespaceSelector": {
"matchNames": [
"default"
]
},
"endpoints": [
{
"port": "https",
"interval": "30s",
"scheme": "https",
"tlsConfig": {
"caFile": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
"serverName": "kubernetes"
},
"bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token"
}
]
}
}
}

35
jsonnet/prometheus/prometheus-k8s-service-monitor-coredns.libsonnet
View File

@@ -1,35 +0,0 @@
{
new(namespace)::
{
"apiVersion": "monitoring.coreos.com/v1",
"kind": "ServiceMonitor",
"metadata": {
"name": "coredns",
"namespace": namespace,
"labels": {
"k8s-app": "coredns"
},
},
"spec": {
"jobLabel": "k8s-app",
"selector": {
"matchLabels": {
"k8s-app": "coredns",
"component": "metrics"
}
},
"namespaceSelector": {
"matchNames": [
"kube-system"
]
},
"endpoints": [
{
"port": "http-metrics",
"interval": "15s",
"bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token"
}
]
}
}
}

33
jsonnet/prometheus/prometheus-k8s-service-monitor-kube-controller-manager.libsonnet
View File

@@ -1,33 +0,0 @@
{
new(namespace)::
{
"apiVersion": "monitoring.coreos.com/v1",
"kind": "ServiceMonitor",
"metadata": {
"name": "kube-controller-manager",
"namespace": namespace,
"labels": {
"k8s-app": "kube-controller-manager"
}
},
"spec": {
"jobLabel": "k8s-app",
"endpoints": [
{
"port": "http-metrics",
"interval": "30s"
}
],
"selector": {
"matchLabels": {
"k8s-app": "kube-controller-manager"
}
},
"namespaceSelector": {
"matchNames": [
"kube-system"
]
}
}
}
}

33
jsonnet/prometheus/prometheus-k8s-service-monitor-kube-scheduler.libsonnet
View File

@@ -1,33 +0,0 @@
{
new(namespace)::
{
"apiVersion": "monitoring.coreos.com/v1",
"kind": "ServiceMonitor",
"metadata": {
"name": "kube-scheduler",
"namespace": namespace,
"labels": {
"k8s-app": "kube-scheduler"
}
},
"spec": {
"jobLabel": "k8s-app",
"endpoints": [
{
"port": "http-metrics",
"interval": "30s"
}
],
"selector": {
"matchLabels": {
"k8s-app": "kube-scheduler"
}
},
"namespaceSelector": {
"matchNames": [
"kube-system"
]
}
}
}
}

49
jsonnet/prometheus/prometheus-k8s-service-monitor-kubelet.libsonnet
View File

@@ -1,49 +0,0 @@
{
new(namespace)::
{
"apiVersion": "monitoring.coreos.com/v1",
"kind": "ServiceMonitor",
"metadata": {
"name": "kubelet",
"namespace": namespace,
"labels": {
"k8s-app": "kubelet"
}
},
"spec": {
"jobLabel": "k8s-app",
"endpoints": [
{
"port": "https-metrics",
"scheme": "https",
"interval": "30s",
"tlsConfig": {
"insecureSkipVerify": true
},
"bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token"
},
{
"port": "https-metrics",
"scheme": "https",
"path": "/metrics/cadvisor",
"interval": "30s",
"honorLabels": true,
"tlsConfig": {
"insecureSkipVerify": true
},
"bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token"
}
],
"selector": {
"matchLabels": {
"k8s-app": "kubelet"
}
},
"namespaceSelector": {
"matchNames": [
"kube-system"
]
}
}
}
}

32
jsonnet/prometheus/prometheus-k8s-service-monitor-prometheus.libsonnet
View File

@@ -1,32 +0,0 @@
{
new(namespace)::
{
"apiVersion": "monitoring.coreos.com/v1",
"kind": "ServiceMonitor",
"metadata": {
"name": "prometheus",
"namespace": namespace,
"labels": {
"k8s-app": "prometheus"
}
},
"spec": {
"selector": {
"matchLabels": {
"prometheus": "k8s"
}
},
"namespaceSelector": {
"matchNames": [
"monitoring"
]
},
"endpoints": [
{
"port": "web",
"interval": "30s"
}
]
}
}
}

12
jsonnet/prometheus/prometheus-k8s-service.libsonnet
View File

@@ -1,12 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local service = k.core.v1.service;
local servicePort = k.core.v1.service.mixin.spec.portsType;
local prometheusPort = servicePort.newNamed("web", 9090, "web");
{
new(namespace)::
service.new("prometheus-k8s", {app: "prometheus", prometheus: "k8s"}, prometheusPort) +
service.mixin.metadata.withNamespace(namespace) +
service.mixin.metadata.withLabels({prometheus: "k8s"})
}

43
jsonnet/prometheus/prometheus-k8s.libsonnet
View File

@@ -1,43 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local container = k.core.v1.pod.mixin.spec.containersType;
local resourceRequirements = container.mixin.resourcesType;
local selector = k.apps.v1beta2.deployment.mixin.spec.selectorType;
local resources = resourceRequirements.new() +
resourceRequirements.withRequests({memory: "400Mi"});
{
new(namespace)::
{
apiVersion: "monitoring.coreos.com/v1",
kind: "Prometheus",
metadata: {
name: "k8s",
namespace: namespace,
labels: {
prometheus: "k8s",
},
},
spec: {
replicas: 2,
version: "v2.2.1",
serviceAccountName: "prometheus-k8s",
serviceMonitorSelector: selector.withMatchExpressions({key: "k8s-app", operator: "Exists"}),
ruleSelector: selector.withMatchLabels({
role: "alert-rules",
prometheus: "k8s",
}),
resources: resources,
alerting: {
alertmanagers: [
{
namespace: "monitoring",
name: "alertmanager-main",
port: "web",
},
],
},
},
}
}

13
jsonnet/prometheus/prometheus-namespace-role-binding.libsonnet
View File

@@ -1,13 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local roleBinding = k.rbac.v1.roleBinding;
{
new(serviceAccountNamespace, namespace, roleName, serviceAccountName)::
roleBinding.new() +
roleBinding.mixin.metadata.withName(roleName) +
roleBinding.mixin.metadata.withNamespace(namespace) +
roleBinding.mixin.roleRef.withApiGroup("rbac.authorization.k8s.io") +
roleBinding.mixin.roleRef.withName(roleName) +
roleBinding.mixin.roleRef.mixinInstance({kind: "Role"}) +
roleBinding.withSubjects([{kind: "ServiceAccount", name: serviceAccountName, namespace: serviceAccountNamespace}])
}

21
jsonnet/prometheus/prometheus-namespace-role.libsonnet
View File

@@ -1,21 +0,0 @@
local k = import "ksonnet.beta.3/k.libsonnet";
local role = k.rbac.v1.role;
local policyRule = role.rulesType;
{
new(namespace)::
local coreRule = policyRule.new() +
policyRule.withApiGroups([""]) +
policyRule.withResources([
"nodes",
"services",
"endpoints",
"pods",
]) +
policyRule.withVerbs(["get", "list", "watch"]);
role.new() +
role.mixin.metadata.withName("prometheus-k8s") +
role.mixin.metadata.withNamespace(namespace) +
role.withRules(coreRule)
}

22
jsonnet/prometheus/prometheus.libsonnet
View File

@@ -1,22 +0,0 @@
{
clusterRoleBinding:: import "prometheus-k8s-cluster-role-binding.libsonnet",
clusterRole:: import "prometheus-k8s-cluster-role.libsonnet",
roleBindingConfig:: import "prometheus-k8s-role-binding-config.libsonnet",
roleBindingNamespace:: import "prometheus-k8s-role-binding-namespace.libsonnet",
roleBindingKubeSystem:: import "prometheus-k8s-role-binding-kube-system.libsonnet",
roleBindingDefault:: import "prometheus-k8s-role-binding-default.libsonnet",
roleConfig:: import "prometheus-k8s-role-config.libsonnet",
roleNamespace:: import "prometheus-k8s-role-namespace.libsonnet",
roleKubeSystem:: import "prometheus-k8s-role-kube-system.libsonnet",
roleDefault:: import "prometheus-k8s-role-default.libsonnet",
rules:: import "prometheus-k8s-rules.libsonnet",
serviceAccount:: import "prometheus-k8s-service-account.libsonnet",
serviceMonitorApiserver:: import "prometheus-k8s-service-monitor-apiserver.libsonnet",
serviceMonitorCoreDNS:: import "prometheus-k8s-service-monitor-coredns.libsonnet",
serviceMonitorControllerManager:: import "prometheus-k8s-service-monitor-kube-controller-manager.libsonnet",
serviceMonitorScheduler:: import "prometheus-k8s-service-monitor-kube-scheduler.libsonnet",
serviceMonitorKubelet:: import "prometheus-k8s-service-monitor-kubelet.libsonnet",
serviceMonitorPrometheus:: import "prometheus-k8s-service-monitor-prometheus.libsonnet",
service:: import "prometheus-k8s-service.libsonnet",
prometheus:: import "prometheus-k8s.libsonnet",
}